Certificates are Everywhere

* Public-Facing Services
* Internal Services
* Services in Public Clouds (Amazon Web Services, Google Cloud Platform, Microsoft Azure)
* API endpoints
* Machine-to-machine communication

Evolving security indicators

Users should expect that the web is safe by default, and they'll be warned when there's an issue.

Security Team, Google

https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html

Timeline of Chrome's Evolution

July 2018 (Chrome 68) - All HTTP sites marked Not Secure

[Screenshot: Chrome tab "BBC - Homepage" at www.bbc.com, page text "Welcome to BBC.com"]

Timeline of Chrome's Evolution

Sept 2018 (Chrome 69) - Secure sites marked neutral instead of the green

[Screenshot: Chrome tab "CertView | Qualys, Inc." with address bar "Secure https://www.qualys.com/certview/"]

Timeline of Chrome's Evolution

(Chrome 70) - RED "Not Secure" marker if user interacts with any input field

[Screenshot: address bar showing "Not secure example.com", with a Password field]

Timeline of Chrome's Evolution

Eventual treatment of all HTTP pages in Chrome:

[Screenshot: address bar showing "Not secure example.com"]

Schedule to disable TLS 1.0 / 1.1

* Chrome: Jan 2020
* Firefox/Safari: March 2020
* IE: First half of 2020

TLS 1.3 is faster and removes support for insecure features and ciphers

SSL Pulse

The Good

No SHA1 or 1024-bit keys

The Bad (~35% inadequate)

Expired certificates: ~5,200
Expiring in the next 2 weeks: ~4,500
Weak/Insecure cipher suites: ~4,200
SSR Ssbvscsis 000 

TLSv1.0: ~99,000 (72%)
RC4 enabled: ~22,000 (16%)


SSL Pulse is a continuous and global dashboard for monitoring the quality of SSL / TLS support over time across 150,000 SSL- and TLS-enabled websites, based on Alexa's list of the most popular sites in the world.

Monthly Scan: November 02, 2018

[Figure: SSL Pulse dashboard with panels "SSL Security Summary" and "SSL Labs Grade Distribution"; total sites surveyed: 137,502; secure sites: 88,424]


Dangers of Incomplete Security Solutions

Hiding Malicious Actions: Malware, Virus, Botnet, Ransomware, Trojan
Hiding the Initial: Before the call back to a C&C
Hiding Data Exfiltration: Bypass other controls such as DLP

Current State of Most Organizations

Limited Visibility

* 95% of organizations don't know where certs are in their networks
* Limited ownership information
* The unknown is difficult to manage

Expirations Missed

* Unplanned outages
* Many more "near misses"

Compliance

* Certificates from unapproved CAs
* Responding to audits is a manually intensive exercise

Reliance on Manual Processes

* Spreadsheets are error prone and out-of-date
* Expensive, not scalable as certificates increase
* Troubleshooting issues is challenging

Ponemon

The average Global 5,000 company spends about $15 million to recover from the loss of business due to a certificate outage!

http://www.csoonline.com/article/2987186/browser-security/expired-certificates-cost-businesses-15-million-per-outage.html

Challenges of Existing Solutions

Visibility

* Point tools, increasing effort and ownership costs

Scalability

* Operational silos
* Work in on-premises or cloud-only mode
* Require multiple or complex deployments to cover large environments

Maturity

* Most solutions are off-the-shelf vulnerability-only or certificate-only "tools"

Single Pane of Glass

* "What's DevOps doing, I just found 5,000 self-signed certificates!"
* "We have no visibility into certificates outside the firewall"
* "We can't inspect encrypted traffic"
* "Network is down, Certificate expired again!"

Introducing Qualys CertView

* Discover, inventory, monitor certificates
* Discover, inventory, monitor host configurations & vulnerabilities
* Coverage across both on-premises and cloud environments
* Renew certificates from the same platform

[Screenshot: Certificate View dashboard with panels: Total Certificates, Certificates by Issuing Authorities, Certificates by Expiration, Top 5 Certificates by Common Name, Instances, Certificates by Hashing Algorithm, Certificates by Key Length]

Use Cases

* Outage Remediation: Stop expired certificates from interrupting business
* Certificate Grades: Find out if your TLS configurations are following best practices
* Baseline Normal Usage/Full Visibility: Establish a baseline to be able to detect anomalies
* Audits and Compliance: Achieve audit success and fast remediation
* Certificate Renewal: Renew expiring certificates

Key Advantages of Qualys CertView

[Screenshot: Certificate View dashboard with panels: Certificates by Expiration, Grades, Vulnerabilities by Severity, Certificates by Algorithm, Top 5 Certificates by Common Name, Certificate Instances by Port]

* Uses the same Qualys scanners already deployed for Vulnerability Management or Policy Compliance
* Qualys CertView meets many of the common use cases in version 1.0 - and we're working on closing gaps quickly
* Certificate Enrollment/Renewal releasing next month
* Simplified delivery through Qualys Cloud Platform - easy for existing VM/PC customers to trial and deploy
* Attractive Pricing

CertView Releases and Roadmap

Q4 2018*

* CA Imports
* Enroll/Renew (DigiCert)
* Approval workflow
* Scan Consolidation

Q1 2019*

* APIs
* Alerts
* Assign ownership
* Enroll/Renew (Comodo/Let's Encrypt)
* Certificate Validation

Q2 2019*

* Enroll/Renew (Microsoft CA/GoDaddy)
* ServiceNow CMDB integration
* Deploy on Apache

Q3 2019*

* Cloud Agent support
* Enroll/Renew (Entrust/EJBCA)
* Deploy on IIS

DEMO

Certificate View